Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 42aeef1b5f9d5310…

MALICIOUS

Office (OOXML) / .XLSX

Size: 267.4 KB
Created: 2021-04-15 15:04:02 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 21a57dbd1dad6aec8edbbaeddabac81b
SHA-1: f20bdcb3970bc9fabfff60628a71cfe318d4efe9
SHA-256: 42aeef1b5f9d53105bd3d9076b7634e1eed53f89c9e3577426f4c51441e4fca4
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The critical heuristic firing indicates the presence of an Excel 4.0 macro sheet, which is a known method for executing malicious code within Office documents. The external relationship to '2.xlsb' suggests the macro sheet is designed to interact with or retrieve additional malicious content. The macro sheet itself, 'xl/macrosheets/sheet1.bin', is the primary artifact for analysis. The script content is heavily obfuscated and truncated, preventing a detailed analysis of its exact actions, but the presence of the macro sheet strongly implies a payload execution or download attempt.

Heuristics (2)

  • Excel 4.0 macro sheet (1 sheet(s)) critical OOXML_XLM_MACROSHEET
    Spreadsheet contains an Excel 4.0 (XLM) macro sheet — XLM was a major Office malware vector during 2020-2022 and evaded many VBA-focused controls before Microsoft tightened XLM defaults. Even legitimate XLM use is rare in modern workbooks. The macro sheet is stored as XLSB/BIFF12 binary content, which many XML-only OOXML scanners miss.
  • External relationship medium OOXML_EXTERNAL_REL
    External target in xl/pivotCache/_rels/pivotCacheDefinition1.bin.rels: 2.xlsb

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename          Kind             Source                                            Size
xlm_sheet_00.bin  xlm-macrosheet   OOXML XLM macro sheet: xl/macrosheets/sheet1.bin  1970 bytes
  SHA-256: a3eead039f1a88490a67c11b5173f3d041450d03ff2aeb9ad71f75fb995a4037